Slashdot Mirror
EndGame CEO: Root Out Hackers Before They Strike (qz.com)
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers. An anonymous reader quotes Nate Fick's article on Quartz:
Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage. This is the next frontier of cybersecurity... the vast majority of cybersecurity spending is still going to prevention and perimeter security. Prevention is necessary, but it's not sufficient and it certainly doesn't justify 90 cents of every security dollar...
The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.
Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
The government has already figured this out. Across the Department of Defense, the intelligence community, and other forward-leaning agencies, this proactive hunting is already happening, and it's becoming more widespread. Enterprises need to embrace the same mindset.
Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
Seems like you just made yourself a target.
Wanna buy a shirt?
https://www.redbubble.com/people/stealthfinger/shop?asc=u
All well and good for nation states, but typically pro-active "defense" is known as 'attacking', which is almost always against the law when not done by a nation state...
If you minimise all threats where would security companies go?
Also please differentiate bad actors vs non dicks.
Without knowing what to exactly defend? There are many doors into these systems and one open door is all it takes for the entry.
That'll work. Yeah.
Just stop babbling nonsense. It seems that "we gotta get 'em basterds" makes for a better headline, but... every breach I've seen in the last years is due to *catastrophic negligence*. Including the (admittedly, for the time) very high tech Stuxnet thingie in Natanz. I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports? And operators willing to stuff a $RANDOM_USB_STICK into that? Seriously?
How many levels of fail was this?
Now go through all the last breaches, and think again: how many levels of fail?
> Fick points out that despite $75 billion on enterprise-level security spending, more than three-quarters of Fortune 500 companies have been breached within the last year.
So stop buying snake oil and take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Next step is implementing technical measures. Make sure that someone in-house understands thoroughly what's going on. Resist the urge to buy the next shiny thing because the salespeople of this company look smartest: remember that the investment in those smart salespeople isn't going into hard core development -- and that's what you want.
Fick's an idiot. This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is, where well-known "products" often enlarge your attack surface instead of reducing it.
Fick reminds me of some dictator in some semi-failed state making up an Enemy of the Nation to make people forget that their actual problem is internal corruption and missing crops.
"Instead, going on the offense and hunting for adversaries entails surveying your assets stealthily and continuously."
You mean like having a monitoring system in place? Checking for too many consecutive failed logins? Unauthorized IPs trying to connect to sensitive servers/devices? Checking to see if any IPs registered to APNIC have gotten logged in? Checking on the md5 hash of the /etc/password file and reporting whenever it changes? Installing an IPS in front of the edge of the network?
Can someone please help me understand what's so different about what this guy is proposing, vs common practices which already exists? What, he's going to develop an AI for IPS systems so we never need to feed them rules again?
If you are not aware it is possible to prove mathematically that a system has no exploits on a software level. If you want a secure system I would start with that.
How do you 'root out' a non-domestic hacker? Drone strikes?
But very little content in there. I did not read any form of plan.
Somebody really needs to DDOS Trump's internet connection.
Sleep your way to a whiter smile...date a dentist!
An anonymous reader quotes Nate Fick's article on Quartz
I could probably guess who that "anonymous reader" might be. Milking the Quartz article with a slashvertisement...
The US gov's idea on this is to incite hackers into an attack, then 'anonymously' dox them so the feds can move in. All the major players were burned by this one.
At least in Finland it is illegal to attack anyone, both computer attacks and physical attacks and in some cases even mental attacks are illegal.
It might be better to have a website where you can enter an IP address of the attacker and police or similar organization would then try to identify and contact the owner of that IP to inform them about the attack. Usually the IP belongs to a hacked computer and the owner is not aware of the situation. Alternatively just setup enough honeypots and listen the traffic yourself and do some action.
Read the article, and I honestly don't see his end goal.
Got the impression all he wants is penetration testing and security through obscurity, or monitor incoming traffic for "malicious intent".
I could be mistaken as the whole article was a bit of a buzzword bonanza.
A million *we needs* not one *how*.
Perimeter security?!? No, No, No! Every serious security professional knows that it does not work. Repeat after my: "Defense in-depth".
Threat Hunting isn't exactly a new concept, it's been around for ages.
But it seems someone, somewhere decided it is going to be the new "hype-base" for magical next generation boxes.. because the previous hype (Threat Intelligence) is dying.
So yeah, cue 2-3 years of "you must hunt proactively with our products"-hype
Attack is the best form of defence.
End-users, the "layer 8" of the OSI model. One way to stop a good chunk of intrusions: force everyone in your organization to go back to plain-text email. No more HTML emails, no more files attached to emails, no embedded links or graphics. Almost every time I read about some new ransomware hit, or most break-ins, it's always some phishing attack via email. Obviously these end-users aren't capable of being educated how to recognize them, so to me the only way to "fix" the problem is to BOFH the situation and remove the most commonly used paths of attack. Anyone who demands these "enhanced capabilities" should also be made to sign an addendum to their employment contract that they are financially responsible for any attacks that they allowed because they just "had to have the ability for people to send them files in their Outlook".
We should also root out murderers before they strike, by "determining" who will commit murder and punishing them while they are still innocent. Or maybe not.
Maybe this CEO is phenomenally dumb?
But the companies' (Endgame) blog pages has some actual concrete info. Reading over the site, much of what he talks about is already implemented, or at least there is software out there that companies can get (much of it open source). To quote his page Hunting on hosts:" running processes, active network connections, listening ports, artifacts in the file system, user logs, autoruns", using Yari, etc. BUT, at least this page isn't just "buy my product" but does give some tutorials / examples of how to use various free utilities (like Sysinternals, Yari with Powershell, Elasticsearch) and he even includes CLI examples. I'm bookmarking this and will read over it later when it's not 04:32 and I should be asleep instead of posting on Slashdot LOL.
There are about 2 million sixteen year old boys in the USA (alone). Of these a bunch are interested in computers. Just because "that's a large enough group", I'm ignoring the 15 year olds, 17 year olds and the girls.
And one day, one of them will spot a uid=1234 in the URL and try what happens if you change that into uid=1235. According to current laws that is considered hacking, and the culprit needs to go to jail. And you're going to predict which one of the two hundred thousand computer-interested sixteen year olds is going to do that? Good luck!
Here in Holland a some students noted that if they ordered pizza from a certain shop, they got sent to a page: "You owe us $15.60, how are you going to pay?". And the URL clearly had that 15.60 visible. So they decided to change that to "0.10". So then the page said: "You owe us $0.10, how are you going to pay?". So they chose a payment method, paid $0.10 and.... they got redirected to the pizza-site where it said: Thank you for your payment, your pizza is on its way!
In the case of the free pizzas, the company who created that stupid "don't check the amount" code should be liable. Checking that the right amount was paid is elementary to a payment system. Similarly not only checking that a user is logged in, but also checking that he/she is logged in as the RIGHT user is elementary.
You cannot blame the guy who stumbled upon this issue for "hacking". Sure, getting almost-free pizzas for a year is a bit unethical. It would be nice to inform the maintainers of the issue, but since when is being "not nice" going to land you in jail? Well, I'll tell you: since they adopted those anti-hacking laws. And for those, it doesn't matter if you're nice. If you ARE nice and report it, they can (and often do) throw you in jail anyway.
Is that endgame somehow connected to that "Endgame"?
Anyone knows a site that shares the solution of those puzzles?
bickerdyke
So we should shoot all 5-10 year olds that proves just a slight bit tech savvy because they may become the next generation hacker?
The reason it is defensive is because no one have done anything illegal until they have a breach. In which case we should investigate and prosecute them as hard as possible.
No Snowden-level breach, no sex-scandal of top-level political leaders or their families and no rape video of polidical dissidents.
Do you think IT department of Chinese government is amazingly good?
FTA:
Some worry that such an aggressive approach to defense and security may break laws. It does not. To be clear, proactive hunting is not “hacking back” or illegally “shooting back” at cyber adversaries beyond the infrastructure you own. Hunting is essential, while hacking back is illegal.
I can just hear it now - the sound of yet more privacy being trampled underfoot as all those 'proactive hunting' parties go traipsing through our virtual back yards.Lovely!
'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
And deprive me of a treasure of laughs and giggles?
You can't take the biggest comedian on the planet from me! I mean, just read what he writes, he's acting like he's some kind of politician and proposing stuff that makes even old NK-Kim look sane, that guy's hilarious! He should have his own TV show if you ask me.
Thinking 'bout it, could it be that I've seen that face on TV at some point? Maybe it was while zapping, did he do stand-up somewhere in the past?
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
> Rather than relying on imperfect prevention techniques, or waiting for a breach to happen and then reacting to it, defenders need to 'turn the map around' and hunt proactively for the attackers in order to root out adversaries before they have a chance to do real damage.
First he'll never find them. Second even if he does, he'll commit a crime himself if he attacks them first, and what if he gets it wrong? And even if he does, what's he going to do? Load a virus onto some kids PC? And even if he does, so what? What this idiot hasn't factored into the equation is that companies have far more to lose both in promoting lawlessness and engaging in a pre-emptive battle with someone who has nothing to lose. And if some kid realizes he's about to the the target of a wrongful pre-emptive Fick attack, is that kid now legally justified to attack first? By Fick's law, YES! HE IS!
I'd call Fick a moron, but that is an insult to people born that way through no fault of their own, but for Fick, being a moron is a choice.
Fire all your local IT staff and get those super-smart H1B people.
It sure sounds like the sort of thing he'd write.
How about rooting out future CEOs before they have harebrained ideas. It's also much easier to predict. Just shoot every CEO during his inaugural speech.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
"They were considering maybe hacking us one day your honor, therefore we planted child porn on their computer making them pedophiles. They'll never get into elementary school now because they're sex offenders, protecting us from the hacking coding they never will have learned to do"
"I have no idea what half those words were but pedophiles are bad and you're a large company. Good work."
Please move along. This is just a man who has run out of ideas and is fantasizing about high valuations and using catch-phrases and buzzwords to paint a pretty picture for the press.
> End-users, the "layer 8" of the OSI model.
They are definitely the most vulnerable part. But don't get me wrong, it's not about blaming the users. They just want to get stuff done, it's their job. And they are put under considerable pressure at that.
It's the job of the organizations to strengthen the users and to raise their level of proficiency in understanding the issues involved. Heck, they are not stupid, in real life they wouldn't hand over their flat keys to a random stranger on the street (with a small note containing their address).
The security department's job is technical, but at the same time educational. It must encompass all the "stack", starting with the users.
As long as there is a "security department" making some magic stuff nobody else understands, and which is only perceived as an impediment to the daily chore, we've lost.
What if it were T-shirts that might disintegrate under certain conditions? We would know that the fabric wasn't well tested and it could break down, but we would not know exactly how, so we follow some of the steps suggested in the comments here. (1) We would find experts on disintegrating T-shirts and learn that fire would most certainly destroy them, but water might dissolve them as well. UV light might break down some of the fibers, so stay out of sunlight and don't spend too much time in certain kinds of fluorescent light. (2) Then we educate our people. (3) Then some teenage boys would aim a hose at some of the people wearing our T-shirts. (4) Our T-shirts would fall apart to the delight of some and horror of others. (5) We would scream, "Get those naughty boys!"--though some might be secretly applaud them. (6) When it kept happening, we would say, "We've got to round up teenage boys with hoses, water balloons, and super soakers."
Perhaps we might insist on better T-shirts but it is doubtful since the new T-shirts are just way cooler. It is easier to blame the boys.
I think money was better spend learning how to properly configure you corporate systems and actually learn how to make secure applications.. Some of the hack i have read have been bossible because some idiot didn't properly secure systems installed.
I could see where some government agencies would be proactively searching for offenders but this is a bit ridiculous. This aligns with the movie Minority Report (if you haven't seen it its not a bad flick, you could do more useless things with your time). Also, how would you tell a pen tester from a real risk? Some peoples 'good/revolutionary ideas' should be kept to themselves. Watch your own crap, block what you don't need contact with and lock down your internals as much as possible while still letting the end user do their job. If you let users have their personal devices on site then block social networking, webmail, cloud storage, etc. If some systems need access to certain remote resources your blocking, create a different subnet and allow that subnet out but monitor it.
Stop connecting everything to the internet
Hold C level officers criminally liable for breaches, including in government. The OPM, IRS and Target hacks should have resulted in the enablers going to jail.
The government has already figured this out. Across the Department of Defense, the
intelligence community, and other forward-leaning agencies
And then they died. The "intelligence community" is a misnomer. It is spy shit. A spy is not
trustworthy by definition. This story is bullshit. They are trying to justify spying on you, with
your tax dollars, to save you from enemy spies and hackers. They hack you. They spy on you. Spy and
hack go hand in hand.
Microsoft is not split in two. Nobody said shit about it. Now Windows is Global Mother Fucking
Spyware in totality. You think this is for your safety? It is the remnants of NWO bullshit plans by
Bush Sr.'s CIA, the Vatican and THEIR fake names, and Jew media pumping out whatever they want you to
believe.
With people cutting the cord and ditching cable because fuck the Jew commercials, the focus is now on .. name it. It was a grandiose
Internet bullshit. Forum confusion en masse. Google tracking all your surfing and Facebook
definitely having your IP addresses too... Amazon shopping habits
plot. 9/11 all that shit. George Bush Sr. and Saudi Arabia, how they doin? Spooks create a big
scare show then rush in to save you from their own bullshit narrative.
Any idea how fucked they are in the eyes of the Holy Spirit?
Also... "Anonymous" are Israeli state sponsored spies. See the link between Facebook.. Google.. CIA..
Israel "USA's friend of all friends".. Jewish media.. etc? China really likes Tim Cook's gay ass. No
such thing as a trustworthy homosexual.
The CEO of Endgame, Inc. is calling for an "offensive mindset" to defend enterprises from hackers.
In other words, this ignore the fact that most hacking incidents are the result of gross negligence and incompetence (most of that shit would be stopped on its track if people do their security homework and put the necessary money in IT and user training.)
Moreover, it tell us to go wild west hunting for hackers. How far would you take that? Hack others before they hack you? Block others that might be suspicious? Because if you take this shit to its logical conclusion, that is where we end up.
Look, just do your bloody homework when it comes to security.
When you give a chimp a gun, and the chimp shoots someone, you don't blame the chimp.
If we can't rely on organizations to adhere to frighteningly basic security concepts (usually at the core of these breaches) how can we trust them to hire a mercenary to go on the offensive against bad guys?
See subject (& more): APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...
Less power/cpu/ram + IO use vs. DNS/routers/addons/antivirus (slows you) + less security issues. Compliments firewalls (w/ layered drivers blocking less used IP addys vs. hosts blocking more used domains) & DNS (lightens dns load). Gets data via 10 security sites.
Ads rob bandwidth/speed, security (malvertising), privacy (tracking) + anonymity.
Hosts add speed (hardcodes/adblocks), security (bad sites/poisoned dns), reliability (dns down), & anonymity (dns requestlogs/trackers) natively. Hosts != ClarityRay blockable (vs. souled-out to admen inferior wasteful redundant slow usermode addons)
Works vs. caps & HTTP PUSH ads w/ firewalls.
Avg. webpage = big as Doom http://www.theregister.co.uk/2... & ads = 40% of it.
APK
P.S. - Safe https://www.virustotal.com/en/... (Verified by Malwarebytes' S. Burn "I've seen the code & it's safe" http://forum.hosts-file.net/vi... )
For those involved, your 75 Billion dollars is not worth as much as peoples freedom and rights. If you go down the path of pre-crime, many people will probably feel they have no choice but to respond with military force. It's a dangerous game, and I don't want to see violence in my country over stupidity.
I think what the EndGame CEO was trying to state was that security needs to focus more on indicators of compromise and less on "defense" against compromise. As a redteam hacker, I agree. The fact of the matter is that securing the perimeter and the endpoint against all attacks is an impossible exercise. Too many security teams have that type of mentality, "Oh, you got in? No worries, just tell us exactly what you did and we will block that specific attack vector." What they should be focusing on, is developing the capabilities to detect the intruder that has breached their defenses. We all like to talk about the magical "APT" that has unlimited time and resources and can teleport around your network without making a sound, but it just doesn't exist. Even a very advanced, skilled attacker, with months of time, is going to need to perform significant recon on the network. Much of that recon is atypical behavior for a non-malicious user.
Detecting malicious behavior isn't even that hard, it just takes some knowledge of what we hackers do. Alerting on specific domain events, looking for specific traffic patterns, and profiling normal system behavior. Even a small security shop can greatly benefit by well-placed honey pots around their network. These type of things are not visible to an attacker, and if your network is reasonably secure, the attacker is likely to trip over one or more of them before they get what they are after.
Basically what he's saying is "Arrest these hackers before they commit a crime" without ever knowing if they're actually being targeted by hackers or if the hackers are even committing a crime in the first place.
Sounds like wonderful precedent for a company to try establishing here in the USA.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
If this is a cyber war we are engaged in, mere defense is not enough. DDOSing botnets for instance, or counterattacks directly against black hats, but it's fair, as in all's fair in love and war.
I can see where a botnet seeking known MAC addresses and hammering them might result in black hats having to come up with new laptops, changing LAA, spending time responding to counterattacks, which impedes them at least minimally. Good work.
deleting the extra space after periods so i can stay relevant, yeah.
This will result in legislation or policy that will enable multi-national corporations to seize the equipment, investigate and hold anyone indefinitely with a computer who writes anything they object to. That's what this is about.
See subject: my other link shows ~60 antivir programs say it's safe + malwarebytes' code audit - sufficient proof my ware's safe backed by reputable sources in the field of security (best antimalware on the planet does the rest).
Lastly - Giving code to everyone produces Google's error here http://it.slashdot.org/story/1... & I don't allow that...
APK
P.S.=> You weak 'naysayers' (who haven't done better yourselves, mind you, lol) really REALLY ought to learn to read before you open your mouths and insert foot to "eat your words" (you do every single time, it's hilarious)... apk
I mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports?
If they had plugged up the USB ports with glue, which some companies actually do by the way, would you call them more or less ridiculous?
This comment is haxzor-smug, a form of posing.
take your security seriously. It starts by educating your people, thinking hard about (gasp!) social factors, investing in people (double gasp!).
Yes, please, step up to my tent. I'm offering "security training courses."
(It's not a bad idea. I'm just saying, once you get into this tone of voice, anything can be made to seem stupid to the imaginary peanut gallery by putting it in quotes.)
This kind of sabre-rattling is just a way to divert from realizing how sad the state of our industry is
Now we agree. The industry is in a really sad state. I'm nostalgic for the old days when we could blame everything on Windows.
The problems I see:
- Windows makes it "easy" to do many things, but read data off a USB stick without executing it isn't one of those things.
- Computers still try to draw lines between "read" and "execute," which were sane lines on a small machine but not fundamental. You could say a Word document is a program that executes inside the MS Word sandbox. Really we need to put all programs in a sandbox, and make that sandbox strong and meaningful to the user. Then, user-training becomes, "do not trust programs." Right now you are forced to trust desktop and mobile programs so the training would be unactionable and counterproductive, but on the web for example programs are sandboxed, and users can be trained to distrust them, somewhat.
- Windows programs merge into the system, changing it in arbitrary ways, silently running whenever they like. Not only is there no difference between code and data, there's no difference between a virus and a program besides human intent of the author. There is no "uninstall," there is only "voluntarily self-destruct." How are you supposed to add earthquake safety paint to that metaphor?
- C programmers punting to "all humans make mistakes which turn into bugs. It's unavoidable." I'm not so sure. ex., cheri-cpu.org can reduce the "buffer overflow surface" of C and C++ for a very cheap cost in gates, using old techniques from IBM mainframe days that were lost. We are treading water against a tide of security bugs, slowly drifting out to sea. What is the plan for getting back to shore? I see some people working on that, ignored. Meanwhile, both greedy-pundits and haxzor-smug pundits say, "paddle harder, doggie." Programmers at elite companies say, "we are great at security because we're so much better than ," when they should be using an absolute metric and realizing they are losing.
... anyone thought of this before?
How fucking clever.
Oh, wait ...
I had this goddam discussion with management back in 1996 all the way up until I retired in 2014.
They said, while it's a problem, it's an IT problem, and we get no funding for training, best-practice firewalls and shit like that.
My insistence that they change passwords at least once a decade, and to refrain from using the same simple password for EVERYTHING went ignored.
As a courtesy, I just sent them a mass email saying that I put every one of their emails into haveibeenpwned and they need to get their shit together.
They want me to CALL and explain.
If they won't listen in person over a period of years, a fucking phone call is a waste of my time.
I sent one more email pointing to retirement.
It little behooves the best of us to comment on the rest of us.
Donald, is that you?
Why bother securing your Apache/Nginx installation when it gives you a chance to be a loud drama queen complaining "some bad guy" hacked you?
.exe attachment? Its just Soooo fun to play "Kim Kardashian Solitaire"!!
Why bother migrating your outdated Windows XP machines to Linux, when you could instead have all the job security in the world - repairing virus-infected systems?
Why not open a
If your office is lazy, uses minimal passwords, doesn't update Windows or have antivirus, open ports everywhere, open wifi, uninformed employees - you will be hacked. This is how MOST of the hacking cases happen, and it doesn't require "climbing up the escalatory ladder" to fix - it requires that managers, bosses, and all employees stop resisting changes, stop using cloudy services for critical data, stop facebooking at work, migrate to Linux if possible, stop using naked ftp, etc. etc.. all been said before.
Stop hiring MBA's who focus on "synergy" and get some real programmers/engineers who have 20+ years of computer experience. Degrees are meaningless. "Instead of the traditional 'hacker with a hoodie,' companies must actively support diversity." - what the hell does that mean? "hacker with a hoodie".. you mean the person who probably knows the subject at hand best and doesn't happen to be a vapid fashionista airhead?
I don't like the noise of this "hunting" stuff. So much mention of "offensive hacking" and little mention of addressing COMPETENCE. Sounds like somebody that wants to go around picking fights - not protecting themselves. This "hunting" stuff only seems appealing to aggressively-minded individuals willing to get themselves into legal trouble and waste company time on speculative goose-chases they can do little-to-nothing about. I can picture it now.. some corporate "situation room" with everyone watching a hacker find the "adversary's" server, and promptly switching off his laptop saying "we found it, that's all we can do!" Good work team! Now That's Synergy!!!
Go apply some updates and stay out of other people's computers!
Seriously though ... the article makes a clear distinction between looking for intruders (legal) which the article advocates and "hacking back" (illegal) which it doesn't.
So this AC post is completely barking up the wrong tree (or a troll). I admit that the article is the usual clueless CEO bumf, but at least don't make it into something it isn't.
Either way there's nothing whatsoever "insightful" about this response.
Oh, let's go kill criminals oh better, lets go kill people before they commit a crime!
Da fuck?
Despot much?
Only myself & Mr. Burn of Malwarebytes have it & ~60 reputable sources say it's safe (keeping you safer & faster online).
Windows does use hosts (misinformation on your part = stupid).
APK
P.S.=> See subject & what I just wrote too - it all keeps it safe (but I wonder who keeps us all safe from a technical error spewing fool like you?)... apk
until executives start making security a priority, rather than a reflexive action, nothing will change. The majority of corporate boardrooms are filled with MBA types and people with sales backgrounds. Even in high tech companies, the tech founder usually gets squeezed out at some point to make room for the MBA that is going to grow the company.
Typically, MBA's and salespeople view security as a burden, a necessary evil, a nuisance. They would rather allocate funds to marketing. Or the latest diversity flavor of the week. IT in general is viewed as a cost center and data security gets lumped in with that. Most corporate leaders don't really understand IT security because they generally don't come from an IT background. So it gets treated as an afterthought and, predictably, the IT folks are left to stamp out the resulting brush fires.
Standard operating procedure:
1) Send everyone a letter telling them that their credentials have been compromised
2) Offer them 6 months of free credit monitoring
3) Issue them a new card
4) Encourage the customer to change their password
5) Sweep it under the rug
Him pointing out that $75 billion was spent reminds me of the 'Tommy Boy' speech Farley gives that ends partly with "Because they know all they sold ya was a guaranteed piece of shit. That's all it is, isn't it? Hey, if you want me to take a dump in a box and mark it guaranteed, I will. I got spare time"
and trust that Endgame's pre-hack pre-crime unit will quickly weed out all the
"I hereby label Nick Fink as a security risk, a potential terrorist, a possible molester and an unperson.
Worse, he is not a team player.
Based on this irrefutable accusation, and the serious risk of Pre-Crime ... I demand that he be neutralised.
Either interned for life or simply eliminated.
I cannot allow the evidence for this to be scrutinised, since our security, nay our very freedom, depends on secrecy.
Dissent or protest will prove the accusation."
Fascists. We know how this ends.
(R)ule in Hell or (S)erve in Heaven [R]?
Here we go with the punish-before-crime movement
Did you fools learn NOTHING from Gitmo?
All you do with arrests (or attacks) PRIOR to any crime is make angry people into enemies dedicated to your destruction
They've worked so well in the past! Next we just need thoughtcrime, and everyone will live happily ever after.
https://www.eff.org/https-everywhere
Can't we just avoid all those "don't do dangerous things" by using ChromeOS? (especially for office staff) Hear me out before you call me wrong. Macos is better than windows, but you have to install virus checker, keep updating endless office security fixes, and security fixes for tons of other apps, and lots of people never do them unless they are automatically done.
ChromeOS hasn't had any attacks, other than the ones google has paid for at hacking contests. It's an os made by human kind, but so far it's been great. That's a huge advantage. OS updates come automatically (just reboot). It has built in support for the office format. It's the standard web browser. I use it to read and write office docs and send them back to others. It appears to work well enough that millions of people are using it.
Again, no attacks. No anti-virus to install. No painful OS upgrades - it just happens. It's not for everyone, especially devs - you can't run visual studio. Devs might need something else. But it works for office, web, simple image editing. And this is before the world of android apps come there.
Stop the race to the bottom, CEOs. Stop outsourcing, CEOs. Stop hiring H1Bs, Microsoft, and others. Kind of hard to do, when the CEO, himself, is a former H1B. Up your IT budgets, corporations, and bring IT back inhouse. Cross-pollinate between IT and business and production departments. Make programs readable, like they used to be with the early compilers. Used to be the user departments could read the code generated by IT and understand it.
Anomaly detection and whitelisting are measures that already exist in actual code that can run on a real computer right now. Monitoring and alerting tools are becoming commonplace, and we even have an acronym or two to sum up the process (thinking of SIEM here). So this call-to-arms is either late or stupid, depending on how far it intends go.
Assuming the attacker has half a brain, he will proxy his inputs and outputs through intermediate devices. Compromised servers, botnets, whatever. This pro-active approach will yield little usable information without tracking him down, finding his tools, or locating his caches of stolen data.
In order to do any of that, your company must gain access to those proxy devices to see where he is coming from or to gather incriminating data if any exists. But wait---unauthorized access of a computer is against US law. The CFAA does not have any exemptions for IT vigilantism.
So you must commit the same crime in order to catch the attacker. Unless he's incompetent enough to attack from his own home or office.
At best, this is a call to use tools that any information security professional should already be aware of. It's nothing more than a glorified advertisement for their products. At worst, it is an encouragement to cross the line into vigilantism---which can have legal consequences.
---
According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
" mean: a SCADA for a friggin' enrichment facility hanging off fucking Windows computers with open USB ports" The Windows computer in question was not connected to the internet. This alone greatly reduced the chances of someone hacking into their systems. The computer infected was also located in one of Iran's most guarded facilities. To develop and deploy this virus required inside help. The developers of Stuxnet had to have created a SCADA test bed mimicking the setup in the Iranian lab for testing and you can't obtain that type of information from a satellite. Someone had to physically walk the infected USB drive into the lab and stick it in a USB port. This person would have faced certain death if uncovered. This same person may have also made sure the USB port was enabled.